Capturing Security Requirements in Business Processes Through a UML 2.0 Activity Diagrams Profile

  • Alfonso Rodríguez
  • Eduardo Fernández-Medina
  • Mario Piattini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4231)


Security has become a crucial aspect of the performance of present-day organizations, since what is being protected is the organization's mission itself. At the same time, the business-process-oriented management approach has proved a good answer to the changing and complex scenarios in which organizations carry out their work. Together, both are a basic requirement for reaching not only the mission but also the organizational objectives in a strongly connected global economy. In this work we present a microprocess through which security requirements can be specified and refined at a high level of abstraction, in such a way that they can be incorporated into the development of a software system. In addition, we present an extension of UML 2.0 activity diagrams through which such requirements can be identified.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Alfonso Rodríguez (1)
  • Eduardo Fernández-Medina (2)
  • Mario Piattini (2)
  1. Departamento de Auditoría e Informática, Universidad del Bio Bio, Chillán, Chile
  2. ALARCOS Research Group, Information Systems and Technologies Department, UCLM-Soluziona Research and Development Institute, University of Castilla-La Mancha, Ciudad Real, Spain
